Jeff,
I apologize to you and the rest of the pem-dev implementors if you feel that
this issue has dragged on for too long. However, as someone responded when
someone else asked how many angels could dance on the head of an ASN.1
pin, interoperation would seem to be the sine qua non of PEM, and if we don't
have a common understanding as to how the PCAs operate or what the legal
consequences of our actions are when we digitally sign something, that would
seem to be pretty important.
I understand that RSA intends to open up a news list or BBS similar to
pem-dev for potential users of its Commercial Hierarchy PCA, and I
would encourage TIS to open up a similar list for the TIS-PCA. Perhaps
such a move would divert these discussions to their "proper" place.
However, it would be a shame, IMHO, if the cross-fertilization
between the two different types of users were lost completely.
I am somewhat confused by your statement regarding "misinterpretation"
of the PEM standard. You say:
> ... The PEM standard
> specifies a policy statement for a PCA not to constrain the users of
> the leaf certificates issued under that particular PCA's tree but to
> state under what conditions that certificate was issued.
I don't know if I am the one who is guilty of the misinterpretation,
but I am not trying to constrain the users to do or not do anything
in particular. However, I am searching for a way to PROTECT those
users who might potentially be defrauded or be unjustly held liable for
some act they didn't commit, because their keys were somehow
compromised and used to forge that user's signature. If we could afford to
have smart cards with built-in biometrics to protect against the theft of keys
maybe this wouldn't be an issue, but for now, that approach is out of the
question for most users.
> ... Hence, for
> example, a policy statement should not declare a signature generated
> with a key from a certificate issued under the corresponding PCA
> invalid for a particular purpose.
Unfortunately, I have been unable to figure out how to simply and easily
protect a user from a very broad range of potential liabilities in the event of
the theft of his key without such an approach.
I am therefore urging that a PCA state in its Policy, that AS A CONDITION OF
ISSUING A CERTIFICATE TO A CA:
(1) the CA shall require its users to agree to comply with the PCA's
Policy,
(2) that the PCA, the CA, and/or its users shall publish a readily
accessible statement saying what they are or are not willing to
be bound by with respect to their digital signature, and that
(3) in the absence of such a published statement their digital signature
is for all intents and purposes essentially undefined, and is therefore
null and void.
Do you feel that such a requirement by a PCA violates either the spirit or the
letter of the intent of the PEM standards? I certainly don't.
In particular, relative to the issue of privacy-without-liability that Doug Porter
seems to want, I don't see anything wrong with having a PCA state as a
condition of issuing a certificate, that the PCA, the CAs, and all of the users
certified under that PCA tree formally renounce any and all responsibility
for any and all damages incurred by anyone or any organization as a
consequence of accepting a digital signature certified under that PCA's tree
as a legal authorization to do anything at all, and that no liability for any
legal actions is intended at all.
I don't have any problem communicating with complete privacy with anyone
certified under such a "What, Me Worry?" PCA, and I can still accord individual
correspondents I communicate with whatever degree of credibility I wish, based
on their most recent utterances. Their certificate will contain their public
key so I can encrypt a message to them if I wish, and the use of a CA will at least
guarantee that their DN is unique, avoiding a vast amount of potential
confusion.
But I will know that if they send me what appears to be a digitally signed
check, or an offer to buy my house, or an authorization to proceed on a given task
or contract, etc., that I had better get it in writing, because I can't assume
that their digital signature carries any legal weight.
On the other hand, if I subscribe to the "My Word is My Bond" PCA, and I receive
from the PCA, the CA, or the user himself a statement that defines exactly what
his digital signature means or does not mean in a particular context, I can
check to see if the check, offer to buy my house, etc., is covered by that statement,
and I will then know how to proceed.
I think that this is what I have been saying all along, and I don't see why
it doesn't satisfy the needs of both types of users without requiring any
change at all to the PEM RFCs or to the existing or intended implementations.
> The concrete example I most often envision is the policy for the PCA
> run by the Federal Reserve Board (one of perhaps hundreds of PCAs in
> the US alone, according to my personal PEM world view).
I tend to share that PEM world view. And by the way, I don't think the issues we
have been discussing are unique to PEM. Instead, I think they are inherent in
figuring out the trust implications of ANY use of X.509 certificates. The
important question is who issued the certificate, AND UNDER WHAT CIRCUMSTANCES
OR POLICY?
> It is likely that legislative and judicial assistance will be provided
> users in the form of laws requiring certain fiduciary responsibilities
> for (at least some classes) of PCA operators. Likewise, legal
> definitions of the meaning of a digital signature will, also, be drawn
> up (and not, I suspect, requiring the signer to file a multipage,
> densely worded document attesting to their intentions to be bound by
> affixing their digital signature to a document). However, as a design
> and implementation issue, these concepts do not bear upon PEM or
> pem-dev.
Having attended two ABA workshops on the subject of Notarization and
Nonrepudiation, and on Certification Authorities, I think that we are one to
two years away from even seeing an ABA resolution in this area, and perhaps
5 to 10 years away from seeing the type of legal protection that we currently
have in the area of credit card transactions. The law moves slowly, for good reason,
and there is an awful lot of education that will be required before we see
digital signatures generally embraced in the Uniform Commercial Code.
In the meantime, as a technologist who has been involved in developing and
implementing these concepts for the last 8 to 10 years, and as the senior
individual who will be involved in operating the CA for GTE Laboratories
(including using the BBN-developed SafeKeyper device), I believe that I owe
it to my management and, more importantly, to the users and others within GTE
who are not specialists in this field and who will have to take it on faith (as
they do lots of other kinds of technology), to ensure that their risks are
commensurate with the benefits to be gained.
I'm sorry if you don't think these are design issues, for I do. But I think I
can state categorically that if you wish to see significant deployment of
PEM throughout the business community at large, these IMPLEMENTATION
issues must be resolved to everyone's satisfaction before we can proceed.